After blackhole filtering is triggered on an Elastic Compute Service (ECS) instance, Alibaba Cloud discards all packets that are destined for the public IP address of the instance. You cannot access the public IP address of the instance over the Internet. You can estimate the time when blackhole filtering is automatically deactivated and wait for blackhole filtering to be automatically deactivated. In urgent scenarios, you can change the public IP address of the ECS instance or migrate your workloads to another ECS instance to quickly restore the workloads. This topic describes how to quickly restore the workloads of an ECS instance on which blackhole filtering is triggered.
After you change the public IP address of the ECS instance or migrate your workloads to another ECS instance, attackers can still obtain the new public IP address by pinging the domain name and re-launch attacks. To resolve the issue, we recommend that you purchase an Anti-DDoS Origin or Anti-DDoS Proxy instance.
Estimate the time when blackhole filtering is automatically deactivated
If you do not purchase an Anti-DDoS Origin or Anti-DDoS Proxy instance, you must wait for the blackhole filtering to be automatically deactivated. If you purchase an Anti-DDoS Origin or Anti-DDoS Proxy instance, you can manually deactivate blackhole filtering for the ECS instance after you add your workloads to the instance for protection. For more information, see Deactivate blackhole filtering (Anti-DDoS Origin) and Deactivate blackhole filtering (Anti-DDoS Proxy).
View the most recent time when the ECS instance was attacked.
Log on to the Traffic Security console. On the Event Center page, find the public IP address of the ECS instance and click View Details to view the most recent time when the ECS instance was attacked.
NoteIf an asset receives multiple DDoS attacks, the duration of blackhole filtering is calculated after the last DDoS attack stops.
View the duration of blackhole filtering.
On the Assets page, view the duration of blackhole filtering. The duration indicates the total duration of blackhole filtering. The default duration of blackhole filtering is 2.5 hours. The actual duration ranges from 30 minutes to 24 hours based on the frequency of attacks on your asset. In rare cases, the duration may be longer.
Estimate the time when blackhole filtering is automatically deactivated.
For example, the ECS instance was attacked at 12:30 and the duration of blackhole filtering is 150 minutes. In this case, blackhole filtering is expected to be deactivated at 15:00.
NoteThe estimated time is provided for reference only. If the ECS instance receives continuous DDoS attacks, the duration of blackhole filtering may be longer.
You can wait for blackhole filtering to be automatically deactivated. In urgent scenarios, you can use one of the following solutions to quickly restore your workloads.
After you change the public IP address of the ECS instance or migrate your workloads to another ECS instance, you must modify settings such as the DNS record and database connection.
Solution 1: Change the public IP address of the ECS instance
If you frequently change the public IP address of the ECS instance on which blackhole filtering is triggered, continuous attack traffic may cause risks to the cloud platform. In this case, your Alibaba Cloud account becomes restricted and you cannot perform operations such as purchasing new instances.
Change the elastic IP address (EIP) of the ECS instance
(Optional) Apply for a new EIP.
For more information, see Apply for an EIP.
Disassociate the current EIP from the ECS instance.
For more information, see Disassociate an EIP from a cloud resource.
ImportantAfter you disassociate a pay-as-you-go EIP from a cloud resource, you are still charged an EIP configuration fee. To avoid unnecessary charges, release the EIP.
For information about EIP configuration fees, see Pay-as-you-go.
For information about how to release a pay-as-you-go EIP, see Release a pay-as-you-go EIP.
If you no longer need a pay-as-you-go EIP after you disassociate the EIP from a cloud resource, you can unsubscribe from the EIP. For more information, see Rules for unsubscribing from resources.
Associate the new EIP with the ECS instance.
For more information, see Associate an EIP with an ECS instance.
Change the system-assigned public IP address of the ECS instance
Within 6 hours after the ECS instance is created
Log on to the ECS console. In the Actions column of the ECS instance that you want to manage, choose
> Network and Security Group > Change Public IP Address. More than 6 hours after the ECS instance is created
(Optional) If the ECS instance is a pay-as-you-go instance that uses the pay-by-bandwidth metering method for network usage, change the metering method for network usage to pay-by-traffic.
For more information, see the Change from pay-by-bandwidth to pay-by-traffic section of the "Change the billing method for network usage of an ECS instance that uses an auto-assigned IP address" topic.
Convert the system-assigned public IP address of the ECS instance into an EIP.
For more information, see Convert the public IP address of an ECS instance in a VPC to an EIP.
Disassociate the EIP from the ECS instance.
For more information, see Disassociate an EIP from a cloud resource.
ImportantAfter you disassociate a pay-as-you-go EIP from a cloud resource, you are still charged an EIP configuration fee. To avoid unnecessary charges, release the EIP.
For information about EIP configuration fees, see Pay-as-you-go.
For information about how to release a pay-as-you-go EIP, see Release a pay-as-you-go EIP.
If you no longer need a pay-as-you-go EIP after you disassociate the EIP from a cloud resource, you can unsubscribe from the EIP. For more information, see Rules for unsubscribing from resources.
Change the public bandwidth of the ECS instance to a value greater than 1 Mbit/s to allow the system to assign a new public IP address to the instance.
For more information, see Modify the bandwidth configurations of subscription instances or Modify the bandwidth configurations of pay-as-you-go instances.
Solution 2: Create an ECS instance that has the same configurations based on the image of the ECS instance on which blackhole filtering is triggered and migrate your workloads to the new ECS instance
Create a custom image for the ECS instance on which blackhole filtering is triggered. For more information, see Create a custom image.
NoteWe recommend that you regularly create snapshots for your ECS instance during O&M. If you want to quickly restore your workloads, you can use a snapshot to create a custom image to restore your workloads. For more information, see Create an automatic snapshot policy and Create a custom image from a snapshot.
Use the custom image to create an ECS instance that has the same configurations. For more information, see Create an ECS instance by using a custom image.
Solution 3: Use SMC to create another ECS instance for your workloads
Server Migration Center (SMC) is a server migration platform provided by Alibaba Cloud. We recommend that you use SMC to migrate the ECS instance on which blackhole filtering is triggered. Then, SMC generates a custom image for the ECS instance. You can use the custom image to create another ECS instance.
Import the ECS instance on which blackhole filtering is triggered to SMC as a migration source. For more information, see Step 1: Import the information about a migration source.
Create a migration task to migrate system configurations and business data to a custom image. For more information, see the topics in Step 2: Create and start a migration task.
Use the custom image to create an ECS instance that has the same configurations. For more information, see Create an ECS instance by using a custom image.
Solution 4: Log on to the ECS instance on which blackhole filtering is triggered and migrate business data
You cannot connect to an ECS instance on which blackhole filtering is triggered over the Internet. You can connect to the ECS instance by using Workbench, Session Manager, Virtual Network Computing (VNC), or another ECS instance that resides in the same virtual private cloud (VPC) as the ECS instance.
For more information about how to connect to an ECS instance by using Workbench, Session Manager, or VNC, see Connect to an instance. In this example, an ECS instance on which blackhole filtering is triggered is connected by using another ECS instance that resides in the same VPC as the ECS instance.
Usage notes
The two ECS instances must reside in the same region, same VPC, and belong to the same security group. The two ECS instances must be connected. For more information about security groups, see Overview.
Procedure
Log on to the ECS instance on which blackhole filtering is not triggered by using its private or public IP address.
Run a command or use a tool to connect to the ECS instance on which blackhole filtering is triggered by using its private IP address or public IP address.
The following table describes the common connection methods.
Operating system of the ECS instance on which blackhole filtering is triggered
Operating system of the ECS instance on which blackhole filtering is not triggered
Connection method
References
Windows
Windows
Use Microsoft Terminal Services Client (MSTSC).
Connect to a Windows instance by using a username and password
Linux
Use rdesktop.
Linux
Windows
Use PuTTY.
Linux
Run an SSH command.
ssh root@<System-assigned public IP address or EIP of the instance>Migrate business data to the ECS instance on which blackhole filtering is not triggered.
References
For more information about the Alibaba Cloud blackhole filtering policy, see Blackhole filtering policy of Alibaba Cloud.
For more information about the blackhole filtering thresholds of cloud services, such as ECS, see View the thresholds that trigger blackhole filtering in Anti-DDoS Basic.
For more information about Anti-DDoS, see What is Anti-DDoS Origin? and What is Anti-DDoS Proxy?